Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December, according to Mandiant's threat intel team.
The software biz disclosed the vulnerabilities in Ivanti Connect Secure - the VPN server appliance previously known as Pulse Connect Secure - and its Policy Secure gateways on Wednesday.
That means these flaws can be exploited to seize control of an organization's Ivanti network appliances and use them to drill into that org's IT environment.
The two zero-days are: CVE-2023-46805, an authentication bypass bug; and CVE-2024-21887, a command injection vulnerability.
The list will likely continue to grow, as more organizations ... discover their devices are compromised.
As Carmakal told The Register, this number will likely increase.
Mandiant is working with Ivanti to help clean up the mess, and on Friday weighed in with its own initial analysis, promising to add more details as its investigation into the matter continues.
A couple of pieces of the analysis in particular stand out.
First, Mandiant says it has identified in-the-wild abuse of the bugs as early as December by a previously unknown suspected espionage team it now tracks as UNC5221.
Earlier probing by Volexity, which discovered the zero-day holes and privately reported them to Ivanti, linked the attackers to China.
In looking into the attacks, Mandiant saw that UNC5221 primarily used hijacked end-of-life Cyberoam VPN appliances as command-and-control servers in its attacks on Ivanti customers.
The intruders used various pieces of bespoke malware to achieve persistence and avoid detection, allowing continued access to victims' networks.
The threat hunters have identified five custom malware families used by UNC5221 after it infiltrates a target via the Ivanti flaws.
One is Zipline, a backdoor that receives commands to execute on compromised devices.
It also supports file transfers in and out of infected equipment, can provide a proxy server, and can implement a tunneling server.
Thinspool is designed to add malicious webshell code to legitimate files.
This helps the cyber-spies establish persistence on compromised networks.
Wirefire is stashed within Connect Secure appliances for remote control of the devices.
Finally, for now at least, there's Warpwire, a credential harvester that collects usernames and passwords for layer 7 applications in plain text and sends them off to a command-and-control server, which the snoops then use to gain further access to victims' services and systems.
Mandiant has also shared indicators of compromise, so it's worth checking those out, too.
This Cyber News was published on go.theregister.com. Publication date: Sat, 13 Jan 2024 02:43:05 +0000